linuxserver / docker-swag

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
https://docs.linuxserver.io/general/swag
GNU General Public License v3.0

Issue with subdomains: ERR_CERT_COMMON_NAME_INVALID #272

Closed killmasta93 closed 2 years ago

killmasta93 commented 2 years ago

Expected Behavior

Currently there is an issue with SSL when adding more subdomains; it keeps showing ERR_CERT_COMMON_NAME_INVALID. It seems that it creates the SSL certificate for chattest but not for admin.

Steps to Reproduce

Currently this is the part of the docker compose file that creates the SSL certificate:

    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Bogota
      - URL=domain.co
      - SUBDOMAINS=chattest,admin
      - VALIDATION=http
      - MAXMINDDB_LICENSE_KEY=Wxxxxxxx
      - DOCKER_MODS=linuxserver/mods:swag-maxmind|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec
      - CROWDSEC_API_KEY=dab67xxxxxxx
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - ONLY_SUBDOMAINS=true
      - EMAIL=alerts@domain.co

Environment

OS: Ubuntu 20


nemchik commented 2 years ago

Can you try deleting the /config/keys folder (on your host it would be /path_to_swag_config_volume/keys) and then restart the container?

killmasta93 commented 2 years ago

Hi @nemchik, thank you for the reply. So I deleted that folder, then I ran docker compose up and this is part of the log:

    swag         | Using Let's Encrypt as the cert provider
    swag         | SUBDOMAINS entered, processing
    swag         | SUBDOMAINS entered, processing
    swag         | Only subdomains, no URL in cert
    swag         | Sub-domains processed are:  -d chattest.domain.co -d admin.domain.co
    swag         | E-mail address entered: alerts@domain.co
    swag         | http validation is selected

Another part of the logs shows it creates only the chattest certificate:

    swag         | 
    swag         | Successfully received certificate.
    swag         | Certificate is saved at: /etc/letsencrypt/live/chattest.domain.co/fullchain.pem
    swag         | Key is saved at:         /etc/letsencrypt/live/chattest.domain.co/privkey.pem
    swag         | This certificate expires on 2022-12-29.
    swag         | These files will be updated when the certificate renews.
    swag         | NEXT STEPS:
    swag         | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
    swag         | 
    swag         | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    swag         | If you like Certbot, please consider supporting our work by:
    swag         |  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    swag         |  * Donating to EFF:                    https://eff.org/donate-le
    swag         | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It only shows the chattest SSL certificate:

    root@homelab:/swag/etc/letsencrypt/live# ls -lah
    total 16K
    drwx------ 3 homelab homelab 4.0K Sep 30 11:47 .
    drwxr-xr-x 9 homelab homelab 4.0K Sep 30 11:47 ..
    -rw-r--r-- 1 homelab homelab  740 Sep 30 11:47 README
    drwxr-xr-x 2 homelab homelab 4.0K Sep 30 11:47 chattest.domain.co

Thank you.

nemchik commented 2 years ago

Does the certificate actually have both subdomains on it? The filename doesn't matter.

aptalca commented 2 years ago

There is only one certificate with multiple SANs.

If you post the full log (as we requested multiple times both here and on Discord), we can confirm it for you.

killmasta93 commented 2 years ago

Thank you for the reply. @nemchik, not sure how I can check that; the way I checked was looking at the certificate in Chrome. @aptalca, thank you, I'm attaching the whole log:

    swag         | [mod-init] Curl/JQ was not found on this system for Docker mods installing
    swag         | fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
    swag         | fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
    swag         | (1/1) Installing jq (1.6-r1)
    swag         | Executing busybox-1.33.1-r8.trigger
    swag         | OK: 315 MiB in 233 packages
    swag         | [mod-init] Attempting to run Docker Modification Logic
    swag         | [mod-init] Applying linuxserver/mods:swag-maxmind files to container
    swag         | [mod-init] linuxserver/mods:swag-maxmind applied to container"
    swag         | [mod-init] Applying linuxserver/mods:swag-dashboard files to container
    swag         | [mod-init] linuxserver/mods:swag-dashboard applied to container
    swag         | [mod-init] Applying linuxserver/mods:swag-crowdsec files to container
    swag         | [mod-init] linuxserver/mods:swag-crowdsec applied to container
    swag         | s6-rc: info: service s6rc-oneshot-runner: starting
    swag         | s6-rc: info: service s6rc-oneshot-runner successfully started
    swag         | s6-rc: info: service fix-attrs: starting
    swag         | s6-rc: info: service 00-legacy: starting
    swag         | s6-rc: info: service 00-legacy successfully started
    swag         | s6-rc: info: service fix-attrs successfully started
    swag         | s6-rc: info: service legacy-cont-init: starting
    swag         | cont-init: info: running /etc/cont-init.d/01-envfile
    swag         | cont-init: info: /etc/cont-init.d/01-envfile exited 0
    swag         | cont-init: info: running /etc/cont-init.d/02-tamper-check
    swag         | cont-init: info: /etc/cont-init.d/02-tamper-check exited 0
    swag         | cont-init: info: running /etc/cont-init.d/10-adduser
    swag         | 
    swag         | -------------------------------------
    swag         |           _         ()
    swag         |          | |  ___   _    __
    swag         |          | | / __| | |  /  \
    swag         |          | | \__ \ | | | () |
    swag         |          |_| |___/ |_|  \__/
    swag         | 
    swag         | 
    swag         | Brought to you by linuxserver.io
    swag         | -------------------------------------
    swag         | 
    swag         | To support the app dev(s) visit:
    swag         | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
    swag         | 
    swag         | To support LSIO projects visit:
    swag         | https://www.linuxserver.io/donate/
    swag         | -------------------------------------
    swag         | GID/UID
    swag         | -------------------------------------
    swag         | 
    swag         | User uid:    1000
    swag         | User gid:    1000
    swag         | -------------------------------------
    swag         | 
    swag         | cont-init: info: /etc/cont-init.d/10-adduser exited 0
    swag         | cont-init: info: running /etc/cont-init.d/20-config
    swag         | cont-init: info: /etc/cont-init.d/20-config exited 0
    swag         | cont-init: info: running /etc/cont-init.d/30-keygen
    swag         | using keys found in /config/keys
    swag         | cont-init: info: /etc/cont-init.d/30-keygen exited 0
    swag         | cont-init: info: running /etc/cont-init.d/50-config
    swag         | Variables set:
    swag         | PUID=1000
    swag         | PGID=1000
    swag         | TZ=America/Bogota
    swag         | URL=domain.co
    swag         | SUBDOMAINS=chattest,admin
    swag         | EXTRA_DOMAINS=
    swag         | ONLY_SUBDOMAINS=true
    swag         | VALIDATION=http
    swag         | CERTPROVIDER=
    swag         | DNSPLUGIN=
    swag         | EMAIL=alerts@domain.co
    swag         | STAGING=
    swag         | 
    swag         | Using Let's Encrypt as the cert provider
    swag         | SUBDOMAINS entered, processing
    swag         | SUBDOMAINS entered, processing
    swag         | Only subdomains, no URL in cert
    swag         | Sub-domains processed are:  -d chattest.domain.co -d admin.domain.co
    swag         | E-mail address entered: alerts@domain.co
    swag         | http validation is selected
    swag         | Certificate exists; parameters unchanged; starting nginx
    swag         | cont-init: info: /etc/cont-init.d/50-config exited 0
    swag         | cont-init: info: running /etc/cont-init.d/60-renew
    swag         | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
    swag         | cont-init: info: /etc/cont-init.d/60-renew exited 0
    swag         | cont-init: info: running /etc/cont-init.d/70-templates
    swag         | cont-init: info: /etc/cont-init.d/70-templates exited 0
    swag         | cont-init: info: running /etc/cont-init.d/90-custom-folders
    swag         | cont-init: info: /etc/cont-init.d/90-custom-folders exited 0
    swag         | cont-init: info: running /etc/cont-init.d/99-custom-files
    swag         | [custom-init] no custom files found exiting...
    swag         | cont-init: info: /etc/cont-init.d/99-custom-files exited 0
    swag         | s6-rc: info: service legacy-cont-init successfully started
    swag         | s6-rc: info: service init-mods: starting
    swag         | s6-rc: info: service init-mods successfully started
    swag         | s6-rc: info: service init-mod-swag-maxmind-add-package: starting
    swag         | s6-rc: info: service init-mod-swag-dashboard-add-package: starting
    swag         | s6-rc: info: service init-mod-swag-crowdsec: starting
    swag         | **** Applying the SWAG dashboard mod... ****
    swag         | **** Configuring CrowdSec nginx Bouncer ****
    swag         | **** Installing/updating goaccess ****
    swag         | **** libmaxminddb already installed, skipping ****
    swag         | **** libmaxminddb already installed, skipping ****
    swag         | s6-rc: info: service init-mod-swag-maxmind-add-package successfully started
    swag         | **** Applied the SWAG dashboard mod ****
    swag         | s6-rc: info: service init-mod-swag-dashboard-add-package successfully started
    swag         | **** Successfully configured CrowdSec nginx Bouncer v1.0.4 ****
    swag         | s6-rc: info: service init-mod-swag-crowdsec successfully started
    swag         | s6-rc: info: service init-mods-package-install: starting
    swag         | **** Installing all mod packages ****
    swag         | fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
    swag         | fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
    swag         | (1/14) Installing libgomp (10.3.1_git20210424-r2)
    swag         | (2/14) Installing gettext-libs (0.21-r0)
    swag         | (3/14) Installing gettext (0.21-r0)
    swag         | (4/14) Installing luajit (2.1_p20210510-r0)
    swag         | (5/14) Installing lua-resty-http (0.16.1-r0)
    swag         | (6/14) Installing lua-sec (1.0.1-r0)
    swag         | (7/14) Installing lua5.1-libs (5.1.5-r7)
    swag         | (8/14) Installing lua5.1 (5.1.5-r7)
    swag         | (9/14) Installing lua5.1-socket (3.0_rc1_git20160306-r3)
    swag         | (10/14) Installing lua5.1-sec (1.0.1-r0)
    swag         | (11/14) Installing lua5.1-cjson (2.1.0-r10)
    swag         | (12/14) Installing lua-resty-lrucache (0.09-r1)
    swag         | (13/14) Installing lua-resty-core (0.1.21-r0)
    swag         | (14/14) Installing nginx-mod-http-lua (1.20.2-r1)
    swag         | Executing busybox-1.33.1-r8.trigger
    swag         | OK: 321 MiB in 247 packages
    swag         | s6-rc: info: service init-mods-package-install successfully started
    swag         | s6-rc: info: service init-mod-swag-maxmind-setup: starting
    swag         | Applying the maxmind mod...
    swag         | Applied the maxmind mod
    swag         | s6-rc: info: service init-mod-swag-maxmind-setup successfully started
    swag         | s6-rc: info: service init-mods-end: starting
    swag         | s6-rc: info: service init-mods-end successfully started
    swag         | s6-rc: info: service init-services: starting
    swag         | s6-rc: info: service init-services successfully started
    swag         | s6-rc: info: service legacy-services: starting
    swag         | services-up: info: copying legacy longrun cron (no readiness notification)
    swag         | services-up: info: copying legacy longrun fail2ban (no readiness notification)
    swag         | services-up: info: copying legacy longrun nginx (no readiness notification)
    swag         | services-up: info: copying legacy longrun php-fpm (no readiness notification)
    swag         | s6-rc: info: service legacy-services successfully started
    swag         | s6-rc: info: service 99-ci-service-check: starting
    swag         | [ls.io-init] done.
    swag         | s6-rc: info: service 99-ci-service-check successfully started
    swag         | nginx: [error] [lua] crowdsec.lua:46: init(): error loading recaptcha plugin: no recaptcha site key provided, can't use recaptcha
    swag         | nginx: [alert] [lua] init_by_lua:8: [Crowdsec] Initialisation done
    swag         | Server ready

nemchik commented 2 years ago

It looks like it's doing what it's supposed to. The way to check would be to visit https://chattest.domain.co and https://admin.domain.co and see if the cert is valid. If you cannot access the URLs at all, that's a different story, unrelated to the cert. You should be able to access both URLs and see whatever site you're attempting to serve or proxy.

killmasta93 commented 2 years ago

Hi @nemchik, thanks for the reply. So I can access both sites, attaching pictures.

But here is what is odd: admin.domain.co is a WordPress site and chattest.domain.co is a chat server which has a widget that goes on WordPress.

When I try to open the chat widget I get this (screenshot attached).

drizuid commented 2 years ago

Are you proxying chattest through SWAG? Have you tried using incognito mode to rule out cache?

killmasta93 commented 2 years ago

Hi @drizuid, thanks for the reply. Correct, both are in SWAG. Correct, I tried in incognito mode and deleted all cache (screenshot attached).

drizuid commented 2 years ago

Who do you show as the cert issuer? Do you see chattest in the subject alternative names? Check both domains for that info.
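As an added example (not the project's code, nor anything the participants posted), a small Python script that does the check asked for here and in aptalca's reply above about one certificate with multiple SANs: pull the certificate each subdomain serves and test whether its SAN list covers that name, which is the same test a browser applies before raising ERR_CERT_COMMON_NAME_INVALID. The hostnames are the placeholders from this thread; the script name check_san.py is assumed.

```python
"""Check which hostnames a served TLS certificate's SAN list covers.

SWAG/Certbot issue ONE certificate carrying every name in SUBDOMAINS, so
the question is whether that SAN list contains the name the browser asked
for (browsers ignore the CN and rely on SANs alone).
"""
import socket
import ssl
import sys


def san_covers(hostname: str, san_dns_names: list[str]) -> bool:
    """RFC 6125-style match: labels must match exactly, except that a
    leftmost label that is exactly '*' matches any single label. Partial
    wildcards ('ad*.domain.co') and multi-level matches are rejected."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        if labels[0] == host[0] or labels[0] == "*":
            return True
    return False


def fetch_san_dns_names(hostname: str, port: int = 443) -> list[str]:
    """Connect with SNI as a browser would and return the leaf cert's
    dNSName SANs. The chain is still verified against the system trust
    store; only the hostname check is disabled so a mismatched but otherwise
    valid certificate can be inspected instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostnames: list[str], san_dns_names: list[str]) -> dict[str, bool]:
    """Map each expected hostname to whether the SAN list covers it."""
    return {h: san_covers(h, san_dns_names) for h in hostnames}


if __name__ == "__main__":
    # usage: python check_san.py chattest.domain.co admin.domain.co
    for host in sys.argv[1:]:
        sans = fetch_san_dns_names(host)
        status = "OK" if san_covers(host, sans) else "NOT COVERED"
        print(f"{host}: {status}  SAN={sans}")
```

If both names report the same SAN list and both are covered, the certificate is fine and the error comes from elsewhere (a cached cert, or a different vhost answering that SNI).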

killmasta93 commented 2 years ago

Hi @drizuid, thanks for the reply, this is what I get, which is odd (screenshot attached).

drizuid commented 2 years ago

What about subject alternative names? Are you seeing different certs for both domains?

killmasta93 commented 2 years ago

Thanks for the reply, currently I get this (screenshot attached).

drizuid commented 2 years ago

Well, from what I can see, this all looks correct. I'm making some assumptions due to the redaction, but I see nothing wrong on the cert. You tested with incognito to rule out caching, the cert is from LE... I'm at a loss here.

nemchik commented 2 years ago

My next suggestion would be to try visiting these URLs from another device (different computer, or use a smartphone while on cellular data).

killmasta93 commented 2 years ago

Hi guys, so what I did: nuked the container, redid the container and created a wildcard certificate, and finally got it working. Thank you again.